3 Answers

The firewall as configured by iptables is ephemeral. It's never saved and must be reloaded on each boot. Normally there is a script in init.d that loads the iptables rules on boot. When flushing the rules with iptables -F, that only flushes what the kernel knew, but doesn't affect how the firewall will be set up on next boot. Every distribution is different. Fedora uses an init.d script called /etc/init.d/iptables that just runs iptables-restore /etc/sysconfig/iptables or something like that. Ubuntu uses ufw which calls a series of iptables commands based on local configuration. If all you did was run iptables commands and didn't store anything to a file, then a reboot should restore the firewall. If you know which init.d script, you can probably just reload that script to restore instead of a full reboot.

So you mean after I reboot the computer, it will just return to the previous state, the same as if I execute iptables -F?
– Jeg Bagus, Apr 1 '11 at 7:08

Yes and no. Yes, simply rebooting should restore your firewall state to normal if all you did was play with the iptables command which does not save anything to a file. No, -F does not restore your firewall to its normal boot-up state. It flushes any rules in the current table, but does not load any rules that might have been loaded during boot.
– penguin359, Apr 1 '11 at 7:13

I'm afraid that if I reboot and enable the firewall, I cannot log in again, the same situation as when I execute iptables -F. It's really a scary moment.
– Jeg Bagus, Apr 1 '11 at 7:30

Without knowing your Linux distribution, I can't help you with specifics on your firewall, but you could add "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" to some start-up script, like /etc/rc.local that runs at the end of boot. Once you reboot, you can test everything and also see if removing that rule locks you out. Run "sudo shutdown -r +5" and then put the command in the background with Ctrl-Z followed by bg. Lastly, remove the above rule with "iptables -D INPUT -p tcp --dport 22 -j ACCEPT". If you get locked out, your server will reboot in 5 minutes and re-add the rule from rc.local.
– penguin359, Apr 1 '11 at 7:52

I use CentOS; I tagged it at the beginning of my question.
– Jeg Bagus, Apr 1 '11 at 8:04
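The answer above and the follow-up comments turn on one question: will the rule set that iptables-restore loads at boot (on CentOS, /etc/sysconfig/iptables) still let SSH in? The script below is an added example, not code from this thread or from any distribution; it reads a file in iptables-save format and reports whether the filter table's INPUT chain accepts TCP to the SSH port before a catch-all REJECT/DROP rule is reached. The "catch-all" heuristic (a REJECT/DROP rule with no port, source, interface or state match) and the `write_sample_rules` helper that produces constructed sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Server Fault thread. Checks a saved rule set in
# iptables-save format (what CentOS keeps in /etc/sysconfig/iptables and what
# iptables-restore loads at boot) for the lockout discussed above: does the
# INPUT chain of the filter table still accept TCP to the SSH port before any
# catch-all REJECT/DROP rule? The catch-all heuristic is an assumption: a
# REJECT/DROP rule with no port, source, interface or state match.
# Prints "allowed" or "blocked"; exit status 0 means SSH would be reachable.
ssh_allowed_in_saved_rules() {
    file=$1
    port=${2:-22}
    awk -v port="$port" '
        /^\*/             { table = substr($0, 2); next }   # *filter, *nat, ...
        table != "filter" { next }
        /^:INPUT /        { policy = $2; next }             # :INPUT ACCEPT [0:0]
        decided           { next }
        /^-A INPUT / {
            if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) {
                result = "allowed"; decided = 1; next
            }
            if ($0 ~ /-j (DROP|REJECT)/ && $0 !~ /--dport|--sport|-s |-i |--state/) {
                result = "blocked"; decided = 1; next       # catch-all came first
            }
        }
        END {
            # No explicit decision in the chain: the chain policy decides.
            if (result == "") result = (policy == "ACCEPT") ? "allowed" : "blocked"
            print result
            exit (result != "allowed")
        }
    ' "$file"
}

# Constructed sample files in /etc/sysconfig/iptables format (not real config).
# "good" has the SSH accept rule ahead of the final reject; "locked" is the
# same rule set with the SSH rule missing, which is what a firewall that was
# flushed and then saved can look like.
write_sample_rules() {
    case $1 in
        good)   ssh_rule='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' ;;
        locked) ssh_rule='' ;;
        *)      echo "usage: write_sample_rules good|locked FILE" >&2; return 2 ;;
    esac
    cat > "$2" <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
${ssh_rule}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo run over the two constructed samples.
tmp=${TMPDIR:-/tmp}/iptables-check.$$
write_sample_rules good   "$tmp.good"
write_sample_rules locked "$tmp.locked"
for f in "$tmp.good" "$tmp.locked"; do
    printf '%s: ssh %s\n' "$f" "$(ssh_allowed_in_saved_rules "$f")"
done
rm -f "$tmp.good" "$tmp.locked"
```

On a CentOS box, `ssh_allowed_in_saved_rules /etc/sysconfig/iptables` (or a second argument for a non-default port) tells you before you reboot whether the saved rule set admits SSH; if it reports "blocked", that is the moment to add the rc.local safety rule and the timed `shutdown -r +5` from the comment above rather than after the reboot. The check deliberately stops at the first catch-all, so a rule set that drops everything and only then accepts port 22 is reported as blocked, which is the order-dependent mistake the flush-and-save scenario produces.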

I don't know if it was saved before. But can we still restore it even if it was not saved?
– Jeg Bagus, Apr 1 '11 at 6:52

You can visit those directories and check out the files inside. + Actually it's distro-dependent, so I gave this reference only as an example which relates to RHEL and its "relatives".
– poige, Apr 1 '11 at 6:54

User228724, welcome to Server Fault! That said, I do hope you'll go on to look at some less-crusty questions that need your answers more. I'm not criticising your answer per se, but this is a three-year-old question with an accepted answer. It's also explicitly about CentOS, in which context your answer is definitely wrong (CentOS keeps the firewall rules in /etc/sysconfig/iptables). We value your input, but it'd be even more appreciated on other questions.
– MadHatter, Jul 1 '14 at 8:03